Cross-origin resource sharing
Categories: Firefox :: Sync, defect
People: Reporter: noumansheikh732, Unassigned
User Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.75 Safari/537.36
Steps to reproduce:
Request:
POST /1.5/173640239/storage/addons?batch=true&commit=true HTTP/1.1
Host: sync-1-us-west1-g.sync.services.mozilla.com
User-Agent: Firefox/83.0 (Windows NT 10.0; Win64; x64) FxSync/1.85.0.20201020173725.desktop
Accept: application/json;q=0.9,*/*;q=0.2
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
authorization: Hawk id="eyJ1aWQiOiAxNzM2NDAyMzksICJub2RlIjogImh0dHBzOi8vc3luYy0xLXVzLXdlc3QxLWcuc3luYy5zZXJ2aWNlcy5tb3ppbGxhLmNvbSIsICJleHBpcmVzIjogMTYwMzI4MTYxMiwgImZ4YV91aWQiOiAiZjkzYjkyNjZiZGE1NDhiNjliNzExZTJiN2NhMGE3ZDIiLCAiZnhhX2tpZCI6ICIxNTc5MDk5OTQ1Mzk3LUZTaVdDbWswN2dnUS0tLUxqeXhiNXciLCAiaGFzaGVkX2Z4YV91aWQiOiAiYWU0NGJjMzdmYjY5MDA4ZTIxY2EwNGRhOGMyNzI0NGEiLCAiaGFzaGVkX2RldmljZV9pZCI6ICJlMGUwZGY4MWUyNDYyYzYwNGUzYTNiNjdjYjY1NWVjNyIsICJzYWx0IjogIjE2OTE5NiJ9OwAnDG23qfmLW6BAVsn5HXn6OMf7VCOb4BGhYWDpDN4=", ts="1603278016", nonce="jAAJIQX4zWc=", mac="BBTfzRU4rK2w+4NYI2kfqnL3FxehwbyMNJiLMzMfH8M="
content-type: text/plain
x-if-unmodified-since: 0
Origin: null
Content-Length: 459
Connection: close
Pragma: no-cache
Cache-Control: no-cache
[{"payload":"{"ciphertext":"TSgfmUidpTV0FMpr7YqvHytmGXXFdaGDDz4Nt0XEVSAKSYL+lr5LaNmO48wWHTMyuq+xu5ex1yHdcfy80Q/TeIhbfDY1VvQMsicJrmPrd8mnjAdJSVyHJnZGQcu2densdZsH3wUltf1+HSBgFWuSHE+pEifHiUMj3WAvder0VvJ5hHuG6DZptrv89XBrGg/zCbW3o0AOj8P73UqDPKT3+fGCIa8km2B+mQNnvCzFmho=","IV":"xEJ52bP7uC8koxQqmYkGiQ==","hmac":"328ae1715dc6abd2c76fef42f8d8578aeef9f09981ac2ad2e7f95ecc9bd6e16b"}","id":"{d046d9fa-3019-417b-a77d-d4f48247d3ce}","modified":1603275271.788}]
Actual results:
Response:
HTTP/1.1 200 OK
Server: openresty/1.15.8.2
Date: Wed, 21 Oct 2020 11:00:17 GMT
Content-Type: application/json
Content-Length: 91
vary: Origin
access-control-allow-origin: null
x-last-modified: 1603278017.80
x-weave-timestamp: 1603278017.80
Access-Control-Allow-Origin: null
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Max-Age: 1728000
Access-Control-Allow-Headers: DNT,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization,X-Conditions-Accepted
Via: 1.1 google
Alt-Svc: clear
Connection: close
{"failed":{},"modified":1603278017.80,"success":["{d046d9fa-3019-417b-a77d-d4f48247d3ce}"]}
Expected results:
Severity of this bug is very high.
Assets:
8 instances of this issue were identified
/1.5/173640239/storage/addons
/1.5/173640239/storage/clients
/1.5/173640239/storage/extension-storage
/1.5/173640239/storage/forms
/1.5/173640239/storage/history
/1.5/173640239/storage/meta/global
/1.5/173640239/storage/passwords
/1.5/173640239/storage/tabs
Explain:
Run Burp Suite and intercept the request. As you can see in the request, when I add Origin: null and hit enter, in the response you can see access-control-allow-origin: null occur; it shows that this instance is vulnerable to CORS.
Issue remediation:
Rather than using a wildcard or programmatically verifying supplied origins, use a whitelist of trusted domains.
Impact:
An attacker would trick many victims into visiting the attacker's website; if the victim is logged in, their personal information is recorded on the attacker's server.
Comment 1•4 years ago
I don't entirely understand what is happening here, but it looks related to Sync so I'm going to move it there.
Reporter
Comment 2•4 years ago
This is just a simple origin change.
Reporter
Comment 3•4 years ago
https://portswigger.net/web-security/cors here you can read more about this.
Comment 4•4 years ago
Pretty sure the way sync works, an attacker won't be able to generate a successful ciphertext and hmac payload without access to the local crypto blobs (and if they had those, it'd be game over anyway), and without those the request won't be processed, and that on its own is already enough to make this safe. I also expect that Firefox will not send the hawk Authorization request header without the website setting one (and again, it doesn't have the credentials). So I very much doubt this is valid.
But hopefully Mark can confirm that and/or clarify anything I might have misunderstood.
Comment 5•4 years ago
Gijs is entirely correct and this is by design. POSTs to this end-point don't come from an origin, but from Firefox itself. If you can explain what actual vulnerability exists here I'm happy to re-open, but I'm confident none exists.
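As an added example (not code from the bug report or from Mozilla), here is a triage helper that applies the reasoning of comments 4 and 5 to the headers in the report: a reflected or null Access-Control-Allow-Origin with Access-Control-Allow-Credentials: true is only exploitable from a web page when the endpoint is authenticated by a credential the browser attaches on its own. The request and response strings are constructed from the report with the Hawk id and mac shortened, and the credential-scheme classification in uses_ambient_credentials is a heuristic, not a Mozilla rule.

```python
from typing import Dict

# Constructed from the report's request/response; Hawk id and mac are shortened.
SYNC_REQUEST = """POST /1.5/173640239/storage/addons?batch=true&commit=true HTTP/1.1
Host: sync-1-us-west1-g.sync.services.mozilla.com
authorization: Hawk id="eyJ1aWQ...", ts="1603278016", nonce="jAAJIQX4zWc=", mac="BBTf..."
content-type: text/plain
Origin: null
"""
SYNC_RESPONSE = """HTTP/1.1 200 OK
Content-Type: application/json
Access-Control-Allow-Origin: null
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET, POST, OPTIONS
"""

def parse_headers(raw: str) -> Dict[str, str]:
    """Turn an HTTP message head into a dict keyed by lowercase header name."""
    headers: Dict[str, str] = {}
    for line in raw.strip().splitlines()[1:]:  # skip the request/status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def reflects_origin_with_credentials(resp: Dict[str, str], origin: str) -> bool:
    """The classic CORS misconfiguration: the supplied origin (or the 'null' origin,
    which sandboxed iframes and file: pages produce) is echoed back together with
    Access-Control-Allow-Credentials: true."""
    acao = resp.get("access-control-allow-origin", "")
    creds = resp.get("access-control-allow-credentials", "").lower() == "true"
    return creds and acao in (origin, "null")

def uses_ambient_credentials(req: Dict[str, str]) -> bool:
    """Heuristic: a cross-origin page can only ride on credentials the browser
    attaches by itself (cookies, cached Basic/Digest HTTP auth). A custom scheme
    such as Hawk must be built by the page's own script, which would need the
    Hawk key, so it is not ambient."""
    if "cookie" in req:
        return True
    scheme = req.get("authorization", "").split(" ", 1)[0].lower()
    return scheme in ("basic", "digest")

def triage(req_raw: str, resp_raw: str) -> str:
    """Classify a Burp-style finding the way comments 4 and 5 reason about it."""
    req, resp = parse_headers(req_raw), parse_headers(resp_raw)
    if not reflects_origin_with_credentials(resp, req.get("origin", "")):
        return "no-cors-misconfiguration"
    if uses_ambient_credentials(req):
        return "exploitable: origin reflected and browser-attached credentials in use"
    return "informational: origin reflected but request needs a non-ambient credential"
```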
Reporter
Comment 6•4 years ago
Am I eligible for a bounty?
Reporter
Comment 7•4 years ago
Because HackerOne offers a big bounty for this vulnerability, because the severity of this vulnerability is very high.
Comment 8•4 years ago
(In reply to Mohammad Nouman from comment #7)
Because HackerOne offers a big bounty for this vulnerability, because the severity of this vulnerability is very high.
I don't doubt that hackerone pays bounties when the vulnerability is serious, but we have already explained in comment #4 and comment #5 that we don't understand how/why you believe your report is a serious vulnerability - or a vulnerability at all, really. If you think we should be paying you a bounty, you would need to show that/why this is a real issue.